Old friend and former MS MVP, Joel Dubin (The IT Security Guy), has tons of experience dealing with PCI working with Trustwave. So I thought he was the perfect person to review this book. Thankfully he said yes. Much appreciated.

The Payment Card Industry Data Security Standard (PCI DSS) has taken it on the chin recently. With several high profile breaches of credit card numbers, some critics of the industry standard have said it either isn’t strong enough, or should be abolished altogether. But as Dr. Anton Chuvakin and Branden Williams correctly point out in the second edition of their book, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance, PCI is here to stay.

This is no ordinary field manual to the PCI standard. It isn’t a book, for example, that a PCI auditor, called a Qualified Security Assessor (QSA), would have open on their lap as a reference while working with a client. Instead it carefully weaves together PCI, which is considered compliance, with IT security. In fact, it also discusses PCI in the universe of other regulatory compliance standards, like SOX and HIPAA, which also give IT managers plenty of headaches.

The book correctly notes that compliance isn’t the same as security, a common misconception of PCI critics, but that it is part of a sound IT security program covering both bases, compliance and security, and not narrowly focused on PCI, but other standards, as well. That’s good news for IT managers suffering from compliance fatigue and looking for a single path to handle not just security but all the other regulations they face. PCI might not be a cure-all, but the IT security it requires can go a long way toward that single path.

Nice review Joel, I was in two minds whether to pick this one up as I was concerned it might just be a re-hash of the PCI requirements with some 'explanation' that didn't go beyond what you would already know.

Sounds like it goes beyond what I was concerned about, I'll add it to my already increasing To Read list.

P.S. On a side note one of Joel's examples jogged my memory; I was waiting for the missus outside a shop bored recently and fired up my phone's wireless scanner to be nosey. Didn't want to poke around too much but found an SSID of 'epos' running WEP, could be interesting...